Unable to get a certificate, timeout error


#1

Hello!

My domain is: pstn.pw

I ran this command: sudo certbot --nginx -d pstn.pw -d www.pstn.pw

My site loads over HTTP on port 81 (tested from my phone on data).

It produced this output:

Failed authorization procedure. pstn.pw (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://pstn.pw/.well-known/acme-challenge/GB60qkU-hVV3V494qLjbRbZAVY6LbKIsBO19RlxwhK8: Timeout, www.pstn.pw (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.pstn.pw/.well-known/acme-challenge/tGbwnZurUlCvJ-EiZNugv7fV0fBwkMh7NKCgDn8OM3s: Timeout

IMPORTANT NOTES:

My web server is (include version): tomcat/nginx

The operating system my web server runs on is (include version): ubuntu 16.04

I can log in to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Any ideas?

Thank you in advance.


#2

Hi @pstn,

I also see a timeout when trying to connect to this server. Do you have an existing web server that you expect is speaking HTTP on port 80? Do you have any kind of firewall that might be blocking incoming connections on that port?


#3

Hi,

My HTTP is on port 81 (ISP blocks 80), so I use pstn.pw:81. Does that work for you? My firewall is off.

Thanks.


#4

Nope, the use of port 80 is actually mandatory for this validation method (not only because of Let’s Encrypt’s own policy but because of industry standards in the CA industry related to permitted validation methods for DV certificates). [Edit: to be clearer, yes, the port 81 version of your site does work fine for me in my web browser, but the Let’s Encrypt CA won’t perform a validation on that port.]

If you can’t use port 80, Let’s Encrypt also offers a method called DNS-01 where you can prove control of the domain name by changing certain DNS records in your DNS zone. Would that work for you? Do you host your own DNS or does your DNS provider offer an API for making changes to a zone?


#5

Do I just need port 80 open on my router? Or does the site need to be running on port 80?

That’s weird, because last month I was on Debian and I got it working. I remember messing around with port 80; maybe I could try opening it on my router to see what happens… I’ll get back to you.

Thanks!


#6

You need the server that’s performing the validation to be able to receive connections from the Internet on port 80, from the outside world’s point of view. How that’s implemented in terms of routers and port forwarding is up to you. If your ISP is blocking connections on port 80, you presumably won’t be able to do this on that ISP at all.

Well, a month or so ago, it was still possible (and the default behavior with Certbot’s --nginx option) to do validations on port 443, but that’s changed during that time.

So maybe you’re now seeing the consequences of that change if your ISP does allow inbound connections on port 443.
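As an added example (not code from this thread, from Certbot, or from Let’s Encrypt), here is a small Python pre-flight that mimics the validator’s HTTP-01 fetch on port 80 and sorts the outcome into the cases discussed above: timeout (port filtered or not forwarded), connection refused, a listener that answers but serves the wrong thing, or success. The token and key-authorization values are constructed placeholders, and `serve_token` is a throwaway local listener included only so the check can be exercised offline; all function names are my own.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

# Constructed sample values; a real token and key authorization come from the CA.
SAMPLE_TOKEN = "constructed-token-not-issued-by-any-ca"
SAMPLE_KEYAUTH = SAMPLE_TOKEN + ".constructed-account-key-thumbprint"

def fetch_challenge(host, token, port=80, timeout=10):
    """Fetch the challenge URL as the validator does; return (status, detail)."""
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "http01-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "ok", resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as err:  # something listens, but wrong path or vhost
        return "http_error", str(err.code)
    except urllib.error.URLError as err:   # could not connect, or no reply in time
        if isinstance(err.reason, socket.timeout):
            return "timeout", f"port {port} filtered or not forwarded"
        return "connection", str(err.reason)
    except socket.timeout:                 # connected, but the body never arrived
        return "timeout", "connected but no response"

def diagnose(host, token, expected, port=80, timeout=10):
    """Verdict: pass, wrong_content, http_error, connection, or timeout."""
    status, detail = fetch_challenge(host, token, port, timeout)
    if status == "ok":
        return "pass" if detail == expected else "wrong_content"
    return status

def serve_token(token, keyauth):
    """Throwaway local listener on an ephemeral port, to try the check offline."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != f"/.well-known/acme-challenge/{token}":
                return self.send_error(404)
            body = keyauth.encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # silence per-request logging
            pass
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Run `diagnose("pstn.pw", token, keyauth)` from a host outside your own network: a `timeout` or `connection` result from outside, while the same check passes from the LAN, points at the router or the ISP rather than at nginx, which is the situation the thread describes.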